Blog: Beware of evolving cybercrime threat
Elizabeth Comerford discusses the strategies cybercriminals use against lawyers and some of the precautions firms can take.
Cyber fraud is a continuing, ever-evolving and increasingly sophisticated threat to the legal profession. In December 2016, the Solicitors Regulation Authority (the regulator in England and Wales) identified conveyancing fraud as the most common cyber-crime in the legal sector.
A total of £7 million of client losses were reported via fraudulent activity, 75 per cent falling for the ‘Friday afternoon fraud’, whereby law firms are tricked into giving bank details on the busiest day of the week when conveyancing transactions are generally being completed.
The Scottish government and Police Scotland are working on systems to classify cybercrimes but currently, unlike the rest of the UK, there are no dedicated cybercrime statistics available.
However professional service firms in Scotland are clearly at risk. Like their southern counterparts, they hold large amounts of sensitive client information and financial data, making them an obvious target for cyber criminals. Recent figures indicate severe breaches can cost small to medium-sized businesses more than £300,000; a huge loss in addition to reputational damage.
How does cybercrime operate in the conveyancing domain? Popular notions of cyber fraud (a hoodie-wearing lone hacker in a darkened room) are outdated. The majority of these crimes are operated by criminal gangs, often from Russia and China, scanning computer systems looking for potential vulnerabilities to exploit. Friday afternoon fraud is an email interception scam. The most common act involves the client receiving an e-mail purportedly from their ‘lawyer’ asking them to transfer a sum of money, such as a deposit for their new home, into a specific bank account. The email address the communication is generated from is identical, not merely similar, to that of their lawyer. Once the money has been paid, the criminals drain the accounts.
Last year, English charity worker Howard Mollett lost £67,000 after cyber criminals intercepted emails between him and his conveyancing solicitor. Mollett claimed his solicitor hadn’t warned him about the risk, posing the question of whether law firms should do more to educate clients.
The Law Society of Scotland circulated a Guide to Cybersecurity to all Scottish law firms in 2017. Creating an effective strategy is twofold. Clients need to be educated and warned about potential risks, specifically of email interception, and law firms need to be constantly vigilant.
The following tips can help:
- Ensure all staff are vigilant, regularly run firewall updates, anticipate the unexpected and don’t open e-mails from unknown addresses.
- Use out-of-office sparingly and leave a generic e-mail address as a point of contact (if a fraudster establishes someone has a valid and functioning email address, they can steal it and sell onto the black market).
- Establish a clear policy on data use.
- Make staff aware of dangers of using public Wi-Fi.
- Block potential spam addresses.
- Advise clients at the outset that you won’t change bank details throughout the course of their transaction.
- Ask clients for more details for example, consider using security questions
- Advise clients if you send something by post not to expect any e-mails.
- Registered post is good practice when passing on important things like bank details.
Millar & Bryce is part of a wider group of companies under the Landmark Information Group umbrella, committed to making property transactions efficient and secure.
Lender Exchange, from Decision First (a Landmark Information Group joint venture company), is a secure portal that provides law firms with the mechanism to exchange sensitive information with lenders in conjunction with the management of conveyancing panels.
More and more lenders are seeking additional information to satisfy regulatory requirements around due diligence. Often the information required is identical, and providing this can be time-consuming for law firms. On top of this, lenders need to have the most current information on firms and their practices to ensure such property purchases can continue without delay, and indeed without risk of fraud.
Lender Exchange aims to minimise the costs and administrative burden on conveyancing firms responding to regular duplicate information requests from multiple lenders and help lenders minimise fraud and negligence through robust due diligence. Firms already on Lender Exchange can confirm the client account details of any other firm on Lender Exchange.
Cybercrime is a lot to think about but raising awareness in the profession is crucial. So much so that the University of Dundee is introducing the subject to prospective new lawyers in their forthcoming academic year for the first time.
Fraud continues to concern us all, and as technology and new ways to gain information continuously evolve, we can work together to minimise the risks we all face today.
Elizabeth Comerford is a senior lecturer at the University of Dundee. This article first appeared in The Scotsman.